The Hacker News — Cyber Security, Hacking, Technology News

Apple has patched the security flaw in its Find My iPhone online service that may have allowed hackers to get access to a number of celebrities' private pictures leaked online.

OVER 100 CELEBRITIES AFFECTED

By now, I hope everybody has heard about what is probably the biggest digital exposure of personal nude photographs, belonging to as many as 100 high-profile celebrities, including Jenny McCarthy, Kirsten Dunst, Mary E Winstead, the Oscar-winning actress Jennifer Lawrence, and Kate Upton.

Initial reports suggested that the privacy breach of the celebrities’ iCloud accounts was made possible by a vulnerability in the Find My iPhone feature that allegedly allowed hackers to take nude photographs of celebrities from their Apple iCloud backups.

Anonymous 4chan users who claim to have grabbed the images posted some of them to the “b” forum on the notorious bulletin board 4chan, where the owners demanded Bitcoin in exchange for a peek at the images.

The anonymous 4chan user sparked the scandal on Sunday after dumping a large cache of female celebrities' alleged naked photographs onto the 4chan online forum, an online message board used for sharing pictures. As a result of the leak, the nude photographs and videos of female celebrities are apparently being widely circulated on the internet.

After the story was broken by the mainstream media, affected celebrities, including Oscar winner Jennifer Lawrence and model Kate Upton, came forward to react to the matter. Within 12 hours, the web was awash with private and some very personal photographs of celebrities.

WHERE THE VULNERABILITY RESIDES

On August 30, just a day before the massive leak, proof-of-concept code for an AppleID password brute-force attack was uploaded to GitHub by the mobile security team HackApp. What a coincidence, isn’t it?

The proof-of-concept code for the exploit is known as iBrute. The code exploited a vulnerability in the sign-in page of Apple’s Find My iPhone application. The flaw let hackers flood the site with any number of password attempts without being locked out, so by using brute-force techniques they could guess the passwords protecting those celebrities' accounts. Apple patched the vulnerability early on September 1.
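The control that was missing from that sign-in page, as an added example that is not from the original article or from Apple's or HackApp's code: a per-account failure counter that delays further sign-in attempts, so the password check is not even run while the account is locked. The thresholds and all class and function names are assumptions chosen for illustration.

```python
import hmac
import time

FREE_FAILURES = 5     # failures tolerated before delays begin (assumed policy)
BASE_DELAY = 30.0     # seconds of lockout after the first excess failure
MAX_DELAY = 3600.0    # cap, so the legitimate owner is never locked out forever


class LoginThrottle:
    """Per-account failure counter with an exponentially growing lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}  # account -> (consecutive failures, locked_until)

    def retry_after(self, account):
        """Seconds the caller must wait before the next attempt is evaluated."""
        _, locked_until = self._state.get(account, (0, 0.0))
        return max(0.0, locked_until - self._clock())

    def attempt(self, account, verify):
        """verify() -> bool checks the password; it is never called while locked."""
        if self.retry_after(account) > 0:
            return "throttled"
        if verify():
            self._state.pop(account, None)  # success resets the counter
            return "ok"
        failures = self._state.get(account, (0, 0.0))[0] + 1
        delay = 0.0
        if failures > FREE_FAILURES:
            delay = min(MAX_DELAY, BASE_DELAY * 2 ** (failures - FREE_FAILURES - 1))
        self._state[account] = (failures, self._clock() + delay)
        return "denied"


def simulate_guessing(guesses, real_password, seconds_between=1.0):
    """Replay a constructed guess list at a fixed rate; return each outcome."""
    now = [0.0]  # fake clock so the simulation runs instantly
    throttle = LoginThrottle(clock=lambda: now[0])
    outcomes = []
    for guess in guesses:
        check = lambda g=guess: hmac.compare_digest(g.encode(), real_password.encode())
        outcomes.append(throttle.attempt("user@example.com", check))
        now[0] += seconds_between
    return outcomes
```

Because a throttled attempt returns before `verify()` runs, even a correct guess made during the lockout reveals nothing; per-account throttling should be paired with per-source limits, since it does nothing against one guess per account spread across many accounts.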

FINALLY APPLE REACTED

Apple has acknowledged the attack, but did not address the vulnerability discussed here. The company issued a press release stating that neither iCloud nor Find my iPhone was responsible for the leak of several private and personal photos of celebrities.

Rather, it said that the celebrity photo breach was a "very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone."

IS APPLE’S TWO FACTOR AUTHENTICATION EFFECTIVE

Apple is encouraging its users to make use of its two-factor authentication service in an effort to prevent security-question based attacks on their accounts.

There is no doubt that two-factor verification makes it more difficult for hackers to obtain a user's login credentials in the first place, thereby preventing many attacks. But an iCloud backup can be installed with just a user name and a password, which leaves the two-factor authentication process incomplete.

Unfortunately, Apple’s two-factor authentication currently doesn’t protect against the kind of attack that was used in this case. It does not cover many other iCloud services, including backups. As noted by TechCrunch, the only three things two-factor secures in iCloud are:

Signing in to My Apple ID to manage their Apple account

Making iTunes, App Store, or iBookstore purchases from a new device

Receiving Apple ID-related support from Apple

In fact, it doesn’t make you enter a verification code if you restore a new device from an iCloud backup. And this security hole is what the hackers are taking advantage of.

With an application such as ElcomSoft's software, one can download an iPhone's backup and circumvent the two-factor verification mechanism, because the two-factor authentication system does not cover iCloud backups or Photo Stream.

HOW TO PROTECT YOURSELF

To protect yourself against upcoming threats, follow this advice:

Whatever the case with the two-factor verification process, you have to enable it, because doing so will definitely add an extra layer of security to your account.

Try using different passwords for different accounts so that if one is breached, all is not lost.

Use a complex password and do not share it with anyone.

The same applies to email: use a private email address for your ID, one that you don’t share with anyone.

Don’t click on links provided in emails; visit the given website directly on the web.

Don’t share your personal information over social networks at any cost.

Most importantly, use completely incorrect or random answers to password reset questions, so that nobody can guess them.

To put more control in users’ hands, LinkedIn has introduced a few new security features that the company says will help users of the social network for professionals keep their accounts and data more secure.

SESSION ALERTS

Just like Google, Facebook, Yahoo and other online services, LinkedIn has added a new option within the settings tab that allows users to see where and on what devices they are logged into their account. From there, users can sign out of various sessions with one click.

This will include details about the users’ current sessions, the browser name, operating system, carrier and IP address, which is used to give an approximate location of the device through which the session is occurring.

Just like the Facebook feature, LinkedIn lets people approve the devices to be used, and if somebody accesses a user’s LinkedIn account from an unapproved device, it will alert the user.

PASSWORD ALERTS

LinkedIn has also introduced password change email alerts. Like many online services, LinkedIn will now alert users via email when a password reset has been initiated and when the password has been changed. It will also give you a sense of where that request originated.

“The added information gives you more insight into when and where the account change took place, including the date and time and details on the device the changes were made on such as the browser it was running, the Operating System (OS), IP address, and approximate physical location,” LinkedIn's head of privacy and security Madhu Gupta explained in a blog post.

REQUEST YOUR DATA ARCHIVE

Furthermore, LinkedIn is making users’ stored data fully accessible to the users who created it, so that they can export it and see all of their activity and account history, including who invited them to join, when they last logged in, updates, IP records and much more.

In short, you can request access to your archive of activity and data on LinkedIn. It may take 72 hours for LinkedIn to compile the archive, after which you’ll receive an email with a link to all of your data.

“We are in the process of rolling these three new tools out globally now and encourage you to take a look at your settings today to see two of these new tools. It's also a good opportunity to remind yourself of all your settings and make sure they are right for how you are using LinkedIn now,” wrote Gupta.

Good news for Firefox lovers! The Mozilla Foundation has introduced a bunch of new features in Firefox to improve browser security with the launch of Firefox 32, now available for Windows, Mac, Linux, and Android platforms.

The new version of Firefox makes the browser even more competitive among others. Firefox version 32 has some notable security improvements, including a new HTTP cache for improved performance, public key pinning - a defense that would help protect its users from man-in-the-middle and other attacks, and easy language switching on Android.

PUBLIC KEY PINNING ENABLED BY-DEFAULT

In the latest Firefox version 32, Mozilla has enabled Public Key Pinning support by default, which will protect its users from man-in-the-middle attacks and rogue certificate authorities.

Public key pinning is a security measure that assures people that they are connecting to the websites they intend to reach. Pinning allows users to keep track of certificates in order to specify which certificate authorities (CAs) have issued valid certificates for their sites, rather than accepting any one of the hundreds of built-in root certificates that ship with Firefox.

According to Mozilla, Pinning will improve the security of implementations such as TLS. It “allows site operators to specify which CAs issue valid certificates for them, rather than accepting any one of the hundreds of built-in root certificates that ship with Firefox.”

“If any certificate in the verified certificate chain corresponds to one of the known good (pinned) certificates, Firefox displays the lock icon as normal. When the root cert for a pinned site does not match one of the known good CAs, Firefox will reject the connection with a pinning error,” Firefox said in a blog post.

Moreover, a bunch of 1024-bit trust certificates have been removed from the list that Firefox trusts.

HTTP CACHE IMPROVES PERFORMANCE

The new version includes a new HTTP cache, which first landed in the code base back in May in the Nightly builds and beta versions and has now arrived in a stable release. This is probably the biggest addition in the latest update, since it brings improved performance and better crash recovery to all platforms.

Improvements:

request prioritization optimized for first-paint time,

ahead of read data pre-loading to speed up large content load,

delayed writes to not block first paint time,

pool of most recently used response headers to allow 0ms decisions on reuse or re-validation of a cached payload.

The new Firefox 32 for Android lets you switch between any of 55 languages, regardless of which language the user originally downloaded the browser in and of the locales supported by your device, without restarting the application. Mozilla also added six more languages in this release: Armenian, Basque, Fulah, Icelandic, Scottish Gaelic and Welsh.

The latest update also lets you easily clear your app’s browsing history at the end of every browsing session by tapping the new option at the bottom of your History home screen page.

The full change log is provided here. A number of security advisories are also addressed in the latest Firefox version 32.

Firefox version 32 is available on the official Firefox website. All existing users should be able to upgrade to it automatically.

LA-based domain name registrar and hosting company Namecheap warned its customers on Monday that cybercriminals have begun accessing their accounts by using the list of credentials gathered from third-party websites.

The hosting company confirmed the security breach and said that the hackers have compromised some of its customers’ accounts, probably using credentials from the "biggest-ever" password theft, a list of 1.2 billion usernames and passwords compiled by the Russian CyberVor gang.

The gang appears to have broken into at least 420,000 websites vulnerable to SQL injection attacks, among other techniques, in order to obtain the majority of these credentials.

GOOD NEWS - NAMECHEAP BECAME AWARE OF THE ATTACK SOON

Namecheap said it had become aware of the ongoing attacks thanks to the company’s intrusion detection systems, which alerted them to a “much higher than normal load against our login system [using] username and password data gathered from third party sites that were trying to be used to try and gain access to Namecheap.com accounts.”

The attackers repeatedly tried to log in to a number of accounts until they found a working combination and gained access. Most of their attempts failed, but some appear to have been successful, prompting Namecheap to suspend some users’ accounts for fear that they may have been compromised, and to block over 30,000 IP addresses associated with the attack, as detailed on the hosting firm's corporate blog.
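An added example (not Namecheap's detection logic and not code from the original article) of how such a login flood can be spotted in authentication logs: flag source IPs that try many distinct usernames with a high failure ratio inside a short window, and list the accounts that did log in from those IPs so they can be suspended. The log format, thresholds, addresses and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format and addresses are invented for this example).
SAMPLE_LOG = """\
2014-09-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2014-09-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2014-09-01T10:00:03Z ip=203.0.113.7 user=carol result=fail
2014-09-01T10:00:04Z ip=203.0.113.7 user=dave result=fail
2014-09-01T10:00:05Z ip=203.0.113.7 user=erin result=fail
2014-09-01T10:00:06Z ip=203.0.113.7 user=frank result=ok
2014-09-01T10:01:00Z ip=198.51.100.20 user=grace result=fail
2014-09-01T10:01:09Z ip=198.51.100.20 user=grace result=ok
2014-09-01T10:02:00Z ip=192.0.2.50 user=heidi result=ok
2014-09-01T10:02:10Z ip=192.0.2.50 user=ivan result=ok
2014-09-01T10:02:20Z ip=192.0.2.50 user=judy result=ok
2014-09-01T10:02:30Z ip=192.0.2.50 user=mallory result=ok
truncated line without fields
""".splitlines()

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 4   # assumed threshold; tune against a real baseline
MIN_FAIL_RATIO = 0.8     # shared office/NAT IPs have many users but few failures


def parse_line(line):
    """Return (timestamp, ip, user, succeeded) or None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4) == "ok"


def find_stuffing_sources(lines):
    """Map each flagged IP to the accounts that logged in successfully from it."""
    by_ip = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1  # slide the window forward
            window = events[start:end + 1]
            users = {e[2] for e in window}
            fail_ratio = sum(not e[3] for e in window) / len(window)
            if len(users) >= MIN_DISTINCT_USERS and fail_ratio >= MIN_FAIL_RATIO:
                # Every success from a flagged IP is a candidate for suspension.
                flagged[ip] = sorted({e[2] for e in events if e[3]})
                break
    return flagged
```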

FAKE BROWSER USED IN MASSIVE BREACH

It is believed that the hackers behind the attack are using the stored usernames and passwords to simulate a web browser login through fake browser software. This software replicates the actual login procedure a customer would follow when using the Firefox, Safari, or Chrome browser to access their Namecheap account.

“The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts. The vast majority of these login attempts have been unsuccessful as the data is incorrect or old and passwords have been changed,” the company said in a blog post entitled, Urgent Security Warning.

“As a precaution, we are aggressively blocking the IP addresses that appear to be logging in with the stolen password data. We are also logging these IP addresses and will be exporting blocking rules across our network to completely eliminate access to any Namecheap system or service, as well as making this data available to law enforcement.”

Namecheap believes that the attack is linked to the Russian CyberVor gang and is not at all related to recent data breaches such as the high-profile Target breach or the Adobe attack.

HOW TO PROTECT YOURSELF

“Our early investigation shows that those users who use the same password for their Namecheap account that are used on other websites are the ones who are vulnerable,” said Matt Russell, vice president of the hosting company.

Russell encourages Namecheap customers to enable two-factor authentication when they regain access to their Namecheap account. Two-factor authentication has been enabled at other web hosting companies as users look for ways to add an extra layer of security to their hosting and email accounts.

This may be the height of privacy breaches! Nude images of several high-profile personalities, including actors, models, singers and presenters, have been made available online in a blatant hacking leak linked to the Apple iCloud service.

The recent privacy breach appears to be one of the biggest celebrity privacy breaches in history and represents a serious offense and violation of privacy. A hacker allegedly breached Apple’s iCloud service and copied the personal photos of at least 100 high-profile stars.

WHO IS BEHIND IT

The anonymous hacker, using the name Tristan, sparked the scandal on Sunday after dumping a large cache of female celebrities' alleged naked photographs onto the 4chan online forum, an online message board used for sharing pictures.

The list of celebrities allegedly affected, whose nude photographs are supposedly in this cache, is very long and includes Jenny McCarthy, Rihanna, Kirsten Dunst, Kate Upton, the American actress Mary E Winstead, and the Oscar-winning actress Jennifer Lawrence.

As a result of the leak, the nude photographs and videos of female celebrities are apparently being widely circulated on the internet. took to the ‘deep web’ where the images are thought to have first been posted a week ago to say he had to ‘move location’.

HOW ALL THIS BEGAN

The anonymous hacker behind the leaked images scandal posted a brief statement saying that they were going to bed because "s*** was getting real."

On Sunday evening, the anonymous user began posting the nude images of dozens of celebrities on the 4chan website. It is still unclear how the photographs ended up online, but the anonymous hacker may have obtained more than 423 nude images of over 100 celebrities without their permission.

Within hours Twitter was awash with hundreds of thousands of tweets about the photographs, which are also alleged to include Brits Michelle Keegan, Cara Delevingne, Cat Deeley and Kelly Brook.

CELEBS ADMITTED - SNAPS ARE REAL

The 24-year-old Hunger Games and X-Men actress Jennifer Lawrence, along with several others, has confirmed that the leaked photographs are genuine, while some celebrities have disputed the authenticity of the images.

Jennifer Lawrence's representative previously reported that Lawrence’s photographs were stolen, calling the hack “a flagrant violation of privacy.” The spokesperson also added, “The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence.”

Mary Elizabeth Winstead from Final Destination 3 was also a victim of the hack. The actress took to Twitter to react to having her images exposed.

Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked.
— Mary E. Winstead (@M_E_Winstead) August 31, 2014

ANONYMOUS HACKER RESPONDED

The anonymous 4Chan user confirmed that the current privacy breach was a conspiracy which involved more than one individual and “the result of several months of long and hard work.”

“Guys, just to let you know I didn't do this by myself,” wrote the anonymous hacker in the post thread just after midnight on Monday. “There are several other people who were in on it and I needed to count on to make this happened (sic). This is the result of several months of long and hard work by all involved. We appreciate your donations and applaud your excitement. I will soon be moving to another location from which I will continue to post.”

FBI BEGAN INVESTIGATION

In a statement issued on Monday afternoon, the FBI said that it had begun investigating the whole matter.

“The FBI is aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter. Any further comment would be inappropriate at this time.”

HOW PHOTOGRAPHS WERE OBTAINED

It is believed that the leaked photographs of high-profile celebs were obtained by the hackers via a massive hack of Apple's iCloud. The nude images were then posted on 4chan by its users, who offered more explicit material in exchange for bitcoin payments.

The hacker on 4chan is also claiming to have over 60 nude selfies and an explicit sex film of the Oscar-winning actress, Jennifer Lawrence, which is available for a fee in Bitcoins.

NO RESPONSE FROM APPLE

Apple has declined to comment. It has not yet confirmed that its iCloud service was involved in the alleged leak.

Apple's encryption of general data is considered to be robust, but access to it could be gained if an attacker is able to guess a user's password, which can be obtained by using a ‘brute force’ attack or a ‘social engineering’ trick.

An account can alternatively be easily accessed by resetting a user's account by finding their email address and then answering traditional ‘security questions.’